Azure AD Domain Services (Azure AD DS)
Features
- Simplified deployment experience: Azure AD DS is enabled for your Azure AD tenant using a single wizard in the Azure portal.
- Integrated with Azure AD: User accounts, group memberships, and credentials are automatically available from your Azure AD tenant. New users, groups, or changes to attributes from your Azure AD tenant or your on-premises AD DS environment are automatically synchronized to Azure AD DS (synchronization is one-way, from Azure AD into the managed domain).
- Accounts in external directories linked to your Azure AD aren't available in Azure AD DS. Credentials aren't available for those external directories, so they can't be synchronized into an Azure AD DS managed domain.
- Use your corporate credentials/passwords: Passwords for users in Azure AD DS are the same as in your Azure AD tenant. Users can use their corporate credentials to domain-join machines, sign in interactively or over remote desktop, and authenticate against the Azure AD DS managed domain. Note that the managed domain needs password hashes in NTLM and Kerberos format: for cloud-only users these are only generated when the user next changes their password after Azure AD DS is enabled, and for users synchronized from on-premises AD DS password hash synchronization must be configured.
- NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows-integrated authentication.
- High availability: Azure AD DS includes multiple domain controllers, which provide high availability for your managed domain. This high availability provides service uptime and resilience to failures.
- In regions that support Azure Availability Zones, these domain controllers are also distributed across zones for additional resiliency.
Azure AD Managed Service Identity (now called managed identities for Azure resources)
An Azure resource that supports managed identities can obtain Azure AD tokens for other services without any credential stored in code or configuration; Azure creates, stores and rotates the identity's credential. The process consists of the following steps:
- Enable – Create the managed identity for the resource.
- Grant access – Give the identity permissions on the target resources with Azure RBAC (or the target service's own access policy, e.g. a Key Vault access policy).
- Access – The workload requests a token for the target resource and performs the allowed actions.
- Disable – Delete the managed identity (or remove it from the resource) when it is no longer needed.
Managed identity types
- System-assigned managed identity: enabled directly on an Azure resource; its lifecycle is tied to that resource and it is deleted when the resource is deleted. One per resource.
- User-assigned managed identity: created as a standalone Azure resource and then assigned to one or more Azure resources; it outlives any single resource it is attached to and can be shared by several.
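The "Access" step above, and the difference between the two identity types, as an added example (written for these notes, not Microsoft's own sample code): a workload running on an Azure VM asks the Instance Metadata Service (IMDS) for a token, optionally naming a user-assigned identity by client ID, checks the token's expiry, and decodes the JWT payload to confirm which identity it actually received. The IMDS endpoint, api-version and `Metadata: true` header are the real ones; the token, claims and resource IDs in the sample response are constructed for offline use and are not real.

```python
"""Added example: obtain and inspect a managed-identity token from Azure IMDS.
Illustrative code for these notes (standard library only), not Microsoft's sample."""
import base64
import json
import time
import urllib.parse
import urllib.request

# IMDS is a link-local endpoint reachable only from inside the Azure resource.
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request.

    resource  - audience of the token, e.g. https://management.azure.com/
    client_id - client ID of a user-assigned identity; omit it to use the
                resource's system-assigned identity. When several user-assigned
                identities are attached, IMDS requires one to be named.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)
    # The Metadata header is mandatory: it stops SSRF-style requests that
    # cannot set custom headers from reaching the token endpoint.
    return url, {"Metadata": "true"}


def parse_token_response(body):
    """Parse the JSON body returned by IMDS into the fields callers need."""
    data = json.loads(body)
    return {
        "access_token": data["access_token"],
        "expires_on": int(data["expires_on"]),  # epoch seconds, sent as a string
        "resource": data.get("resource"),
        "token_type": data.get("token_type", "Bearer"),
    }


def token_is_usable(token, now=None, skew=300):
    """True if the token is still valid with `skew` seconds of safety margin."""
    now = time.time() if now is None else now
    return token["expires_on"] - skew > now


def decode_jwt_claims(access_token):
    """Return the JWT payload WITHOUT verifying the signature.

    The relying party verifies the signature; the caller only inspects claims
    such as `appid`, `oid` and `xms_mirid` to confirm which identity it got.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def fetch_token(resource, client_id=None, timeout=5):
    """Live IMDS call; only works on an Azure resource with a managed identity."""
    url, headers = build_imds_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


# --- Constructed sample data (NOT a real token or identity) for offline use ---
def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com/",
    "appid": "11111111-2222-3333-4444-555555555555",
    "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "xms_mirid": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                 "rg-demo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-demo",
    "exp": 1700003600,
}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url(SAMPLE_CLAIMS), "c2lnbmF0dXJl"])
SAMPLE_RESPONSE = json.dumps({
    "access_token": SAMPLE_TOKEN,
    "expires_in": "3600",
    "expires_on": "1700003600",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    tok = parse_token_response(SAMPLE_RESPONSE)
    print(decode_jwt_claims(tok["access_token"])["xms_mirid"])
```

The enable, grant-access and disable steps happen outside the workload (portal, `az vm identity assign`, `az role assignment create`, `az vm identity remove`), so the code never sees a secret. Checking `xms_mirid` or `appid` after the call matters when a VM has more than one identity attached: asking IMDS for a token without a `client_id` while several user-assigned identities exist is an error, and a token for the wrong identity would fail authorization only at the target service.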
Azure AD Connect
Under editing
Conditional Access
The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can use these identity signals as part of their access control decisions. A Conditional Access policy is an if-then statement: if a user wants to access a resource (signals such as user, group, location, device state and sign-in risk), then they must complete an action (for example satisfy MFA, or be blocked).
Azure AD Privileged Identity Management (PIM)
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services like Office 365 or Microsoft Intune.
Key features
- Provide just-in-time privileged access to Azure AD and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
License requirements
Azure AD Premium P2 license
Azure AD Identity Protection
Identity Protection is a tool that allows organizations to accomplish three key tasks:
- Automate the detection and remediation of identity-based risks.
- Investigate risks using data in the portal.
- Export risk detection data to third-party utilities for further analysis.
Permissions
Role | Can do | Can't do |
---|---|---|
Global administrator | Full access to Identity Protection | |
Security administrator | Full access to Identity Protection | Reset password for a user |
Security operator | View all Identity Protection reports and Overview blade; dismiss user risk, confirm safe sign-in, confirm compromise | Configure or change policies; reset password for a user; configure alerts |
Security reader | View all Identity Protection reports and Overview blade | Configure or change policies; reset password for a user; configure alerts; give feedback on detections |
License requirements
Capability | Details | Azure AD Premium P2 | Azure AD Premium P1 | Azure AD Basic/Free |
---|---|---|---|---|
Risk policies | User risk policy (via Identity Protection) | Yes | No | No |
Risk policies | Sign-in risk policy (via Identity Protection or Conditional Access) | Yes | No | No |
Security reports | Overview | Yes | No | No |
Security reports | Risky users | Full access | Limited Information | Limited Information |
Security reports | Risky sign-ins | Full access | Limited Information | Limited Information |
Security reports | Risk detections | Full access | Limited Information | No |
Notifications | Users at risk detected alerts | Yes | No | No |
Notifications | Weekly digest | Yes | No | No |
MFA registration policy | Require users to register for Azure AD MFA | Yes | No | No |
Azure AD B2C
A customer identity and access management (CIAM) solution capable of supporting millions of users and billions of authentications per day. It takes care of the scaling and security of the authentication platform, monitoring and automatically handling threats like denial-of-service, password spray, or brute force attacks.